QR code exploit hacks Google Glass to send what it sees to man in the middle

Lookoutmobile found a way to exploit QR codes to hack Google Glass (crowd cheers). Google has already patched it (crowd boos), but it's still a very interesting hack, as it allowed Lookoutmobile to 'see' what the Google Glass wearer was seeing. The idea of wearing tech that can watch what you're watching doesn't freak you out in this NSA day and age? Really? Hello? (Crowd disperses to give attention to other shiny things.)

Here's a sweet-looking animation from Lookoutmobile explaining what they did.

Hacking the Internet of Things for Good.

This is where we identified a significant security problem. While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices. Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own “malicious” QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a “hostile” WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.

Glass was hacked by the image of a malicious QR code. Both the vulnerability and its method of delivery are unique to Glass as a consequence of it becoming a connected thing.
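
The defensive side of the flaw described above, as an added example (not code from Lookout, Google or this post): a scan handler that only applies a Wi-Fi configuration QR code when the wearer explicitly started setup and then confirmed the network. The widely used `WIFI:T:...;S:...;P:...;;` text layout is an assumed stand-in for Glass's own format, which the page does not describe, and the function names and sample payloads are constructed for illustration.

```python
import re

# Assumption: the common "WIFI:T:<auth>;S:<ssid>;P:<password>;;" QR text layout
# stands in for Glass's own configuration format (not given on the page).
_FIELD = re.compile(r'([A-Z]):((?:\\.|[^;\\])*);')

def parse_wifi_qr(payload):
    """Return {'ssid', 'auth', 'password'} for a Wi-Fi config QR, else None."""
    if not payload.startswith("WIFI:"):
        return None
    fields = {}
    for key, raw in _FIELD.findall(payload[5:]):
        fields[key] = re.sub(r'\\(.)', r'\1', raw)  # undo \; \: \\ escapes
    if not fields.get("S"):
        return None  # a config code without an SSID is malformed
    return {"ssid": fields["S"], "auth": fields.get("T", "nopass"),
            "password": fields.get("P", "")}

def handle_scan(payload, user_started_setup, confirm):
    """Decide what the device does with QR text decoded from a camera frame.

    user_started_setup: True only if the wearer opened a Wi-Fi setup flow
        before this frame was captured (hypothetical device state).
    confirm: callback shown to the wearer with SSID and auth type; returns bool.
    """
    config = parse_wifi_qr(payload)
    if config is None:
        return ("ignored", None)  # not a configuration code
    if not user_started_setup:
        # The flaw described above: a code that merely appears in a photo
        # must never change network settings.
        return ("rejected-unsolicited", config["ssid"])
    if not confirm(config["ssid"], config["auth"]):
        return ("rejected-declined", config["ssid"])
    return ("join", config["ssid"])

# Constructed sample payloads (not taken from the Lookout research).
SAMPLE_CONFIG = r"WIFI:T:WPA;S:Cafe\;Guest;P:example-pass;;"
SAMPLE_URL = "https://example.com/menu"

if __name__ == "__main__":
    always_yes = lambda ssid, auth: True
    print(handle_scan(SAMPLE_CONFIG, False, always_yes))  # photo in the wild
    print(handle_scan(SAMPLE_CONFIG, True, always_yes))   # solicited setup
    print(handle_scan(SAMPLE_URL, True, always_yes))      # ordinary QR code
```

Returning the SSID with each rejection gives the device something to log, so unsolicited configuration codes seen in the field leave a trace.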
